This article helps you build robust web applications by covering the security aspects that need attention while the system is being designed. A system designed without a security assessment ends up non-compliant and exposed to security threats; such systems are vulnerable to harmful attacks. The guide below will help strengthen your applications, mitigate the risk of probable attacks and reduce unauthorised activity. The problems, scenarios and solutions stated here are .NET centric. I have tried to cover the essential security review items that cause the most issues and non-compliance.

In a nutshell, the clicks on your website can be hijacked by any other website using the click-jacking technique. The basic idea is to make use of the z-index property of the DIV and IFrame tags in an HTML page: a decoy website placed just above the real one can tamper with the real website's transactions. What happens here? The malicious website loads the real website's page in an HTML IFrame and puts it in the background, with the transparency set so that the user does not see it. Using this mechanism the decoy website replicates the real website, with its own non-functional buttons placed exactly above the real ones, and leads online users to perform actions on the real website using information supplied by the decoy with fraudulent intent.

The concept is pretty simple. The phishing website is placed exactly above the target website, so that whatever action is performed on the decoy triggers the corresponding events on the real website. This is how the foul play leads to invalid transactions, and the target website is said to be vulnerable to click-jacking.

Real Time Scenario

Assume there is an e-commerce site where one can purchase books online. Another website is an exact replica of it but with a few changes that motivate users to transact. In this scenario the e-commerce site has a button with the caption BUY, and the malicious site shows a masked, non-functional button labelled 'Donate' placed exactly above it. The moment the user clicks the masked 'Donate' button, in reality it triggers the lower z-index BUY button. This is how an attacker can misuse your website for their own purpose.

Solution for Click-Jacking

The solution below is strictly .NET centric; every technology has its own solution for this problem. The X-Frame-Options header is the one place where we can restrict our website from being framed and misused by click-jacking.

Solution 2: This works absolutely fine for all authentication modes.

Solution 3: We can directly set this restriction by adding a custom X-Frame-Options header.

Websites that do not send this header are vulnerable to click-jacking, which can allow an attacker, in combination with Cross-Site Scripting (XSS), to trick a user into clicking a malicious link.

Procedure to send out the X-Frame-Options header using IIS:

Open IIS (by running the inetmgr command).

Go to the Websites folder, right-click your website and open Properties.

If there are any subdirectory websites, IIS will ask you whether to override this setting for them as well.

Click OK and restart IIS by running the iisreset command.

Note: Ensure you add either DENY or SAMEORIGIN; each has its own significance. If one wants to apply this at the application level, the simple solution is to add the line of code below in the Global.asax file under the following event.
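As an added example (not the article's own code), the following Global.asax.cs sends the anti-framing header on every response from Application_BeginRequest. It assumes the application is never meant to be framed by third parties and also sends the newer Content-Security-Policy frame-ancestors directive, which goes beyond what the article covers.

```csharp
// Global.asax.cs: send an anti-framing header on every ASP.NET response.
// Added example, not the article's code. DENY forbids framing by anyone;
// SAMEORIGIN still lets your own pages frame each other.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: our own pages frame each other (e.g. in a portal), so
    // SAMEORIGIN is used; switch to "DENY" if the site is never framed at all.
    private const string FrameOptions = "SAMEORIGIN";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;

        // X-Frame-Options is honoured by all mainstream browsers.
        response.AppendHeader("X-Frame-Options", FrameOptions);

        // Newer browsers prefer the CSP frame-ancestors directive; sending
        // both is harmless. 'self' matches SAMEORIGIN, 'none' matches DENY.
        string ancestors = FrameOptions == "DENY" ? "'none'" : "'self'";
        response.AppendHeader("Content-Security-Policy",
                              "frame-ancestors " + ancestors);
    }
}
```

Only requests that IIS routes to ASP.NET pass through this event, so static content served directly by IIS still needs the header configured in IIS as described above.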

HTTP methods that can be exploited are enabled. In particular, the OPTIONS HTTP method is enabled, and it can be used for footprinting and profiling the application and server. The answer to this problem is the UrlScan tool.

Why UrlScan?

UrlScan is a security tool that scans and restricts incoming HTTP requests before they are processed by IIS. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the web applications on the server. It lets you apply the security rules and policies that are a must when an HTTP request is passed to, or processed by, IIS. The UrlScan concept is a bit confusing the first time for any novice learner. Basically the tool provides a configuration template in which we can define our own rules, or use the existing rules as they are if they fit the application and business requirements.

Advantage

It helps avoid running malicious code and requests coming to IIS that could be a threat and harmful to the overall functioning of the website.

What does it do?

The rules basically monitor incoming requests and act as inspectors that reject harmful requests sent to IIS. To make this work we need to install UrlScan on the web server where IIS is the hosting platform. UrlScan comes with default configuration settings; we can modify these configurations as per our requirements and leverage its benefits.

Where do we configure the above ruleset?

All of the above rules are present in the UrlScan.ini configuration file, and as per our business or compliance requirements we can reconfigure them or add custom configurations. Sample configuration settings are given below.
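The following UrlScan.ini is an added example of a restrictive baseline, not the article's or the tool's shipped file; the allowed verbs, denied extensions and request limits are assumptions to adjust to what the application really needs.

```ini
; UrlScan.ini: restrictive baseline (added example, not the tool's default file).
; Comments start with a semicolon and sit on their own lines.
[Options]
; Only verbs listed in [AllowVerbs] are accepted; OPTIONS/TRACE are thus rejected.
UseAllowVerbs=1
; Block by [DenyExtensions] rather than maintaining an allow-list of extensions.
UseAllowExtensions=0
; Decode the URL once before applying rules, and reject URLs that change
; after a second decode (double-encoding tricks).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Reject non-ASCII bytes and dots inside the path (only the extension may have one).
AllowHighBitCharacters=0
AllowDotInPath=0
; Do not advertise the IIS version in the Server header.
RemoveServerHeader=1
; Keep a log of rejected requests for review.
EnableLogging=1
; Page shown for a rejected request (assumed to exist in the site root).
RejectResponseUrl=/404.htm

[AllowVerbs]
GET
POST
HEAD

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyExtensions]
.exe
.bat
.cmd
.rem
.soap
.ini
.log
.bak

[DenyUrlSequences]
..
./
\
%
&

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```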

Alternative to UrlScan

UrlScan applies its rules to the whole server at the IIS level. If we want security rules applied to a specific website or module, we must look into the code access security options in .NET. There are three essential practices that help us apply security to specific files, directories (URLs) and file types. Each comes with its own specification and requirements.

1) FileAuthorizationModule

This basically works against the ACL of the file behind a .aspx or .asmx request. If we rely on IIS for authentication, we need ASP.NET impersonation. Impersonation works with a Windows identity and is based on the identity token passed by IIS. That is all about impersonation; I won't spend more time explaining it now. I just want the reader to focus on code access security and spend time understanding the concepts and theory behind it. Mostly we face security enablement issues in MOSS and PPS installations, where the environment has to be set up right the first time; after that, everything goes with the code and deliverables.

2) URL authorization

Usually we have three main line items for URL authorization. It needs a role-based security module in place, where domain groups carry the roles assigned to users for a specific business requirement. Coming to verbs: this is the HTTP method type, which can be GET, POST, HEAD, OPTIONS, TRACE, FIND and so on. This is what we saw in the UrlScan tool. Based on our server environment we can restrict the HTTP method types. For example, we may enable TRACE and OPTIONS in the test and development environments, whereas we don't want them in production, as they may harm performance and leak information about the server or the configuration in place.

3) HttpForbiddenHandler: Exclude Unnecessary and Unused File Extensions

Disable remoting, batch files and executables on internet-facing web servers (.rem, .soap, .bat, .exe). Additionally, if we know that a given set of file extensions is not used by our application, we can assign them to HttpForbiddenHandler. Ref: Implement HttpForbiddenHandler In IIS. Ref: Securing Web Server.
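The web.config fragment below is an added example (not from the article) that puts the URL-authorization verb rules and the HttpForbiddenHandler mappings from the two sections above into one place. The domain group CONTOSO\BookAdmins and the Admin directory are assumed names.

```xml
<!-- web.config fragment: added example, not the article's own file.
     Assumes Windows authentication and a domain group CONTOSO\BookAdmins. -->
<configuration>
  <system.web>
    <!-- 3) HttpForbiddenHandler: ASP.NET answers 403 for these extensions.
         IIS only hands a request to ASP.NET for extensions mapped to
         aspnet_isapi.dll, so map .rem/.soap/.bat/.exe there as well. -->
    <httpHandlers>
      <add verb="*" path="*.rem"  type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.bat"  type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.exe"  type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>

    <!-- 2) URL authorization: rules are evaluated top-down, first match wins. -->
    <authorization>
      <!-- diagnostic verbs are refused for everyone, in every environment -->
      <deny users="*" verbs="OPTIONS,TRACE" />
      <!-- only the admin role may change state via POST -->
      <allow roles="CONTOSO\BookAdmins" verbs="POST" />
      <!-- anyone may read; anonymous users are "?" and are included in "*" -->
      <allow users="*" verbs="GET,HEAD" />
      <!-- anything else (POST by non-admins, PUT, DELETE, ...) is refused -->
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- directory-level rule: only the admin role may enter /Admin at all -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\BookAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Note that the catch-all deny makes the rule set fail closed: a new verb or role not listed here is refused until someone deliberately adds it.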

The application has directory listing enabled, allowing users to see an internal view of the application and all of its available pages. For example, say you have a website NewBee-Website with directories such as Website/Image, Website/Script and Website/UI.

Normally a user browses the application by pointing at the site https://NewBee.com, and the site works as expected.

Scenario 1: If someone types a URL such as https://Newbee.com/UI, the server lists all files under that directory. Your site is then exposed to a security threat, because you allow the user to discover the directory structure.

Scenario 2: Suppose directory listing is prohibited and the HTTP 403 error code is returned; the user then gets the message that directory browsing is forbidden. That tells them the UI directory is valid and that a folder named UI exists in some form. This gives an attacker a foothold by teaching them about the directory structure and the placement of files.

Remediation and Workaround

Disable directory listing, and check whether a custom error page for 403 is set.

Configure the web server to display an HTTP 404 error page whenever a user tries to perform a directory traversal. Display an HTTP 404 error instead of an HTTP 403 error, because a malicious user can use the HTTP 403 responses to map the application's structure.

Why custom error messages? Enable the customErrors page option in the web.config file. Never reveal source-level error messages to end users; they help users understand the semantics of your code and its flow. For any application-level exception it is good practice to display a custom error page.

The Secure cookie attribute prevents the cookie from being sent over plain HTTP. Set the SECURE flag on all cookies: whenever the server sets a cookie, arrange for it to set the SECURE flag on that cookie. The SECURE flag tells the user's browser to send the cookie back only over SSL-secured HTTPS connections; the browser will never send a SECURE cookie over an unencrypted HTTP connection. The simplest step is to set this flag on every cookie your site uses.
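As an added example (not the article's own code) covering both the 403-to-404 conversion above and the Secure cookie rule, this Global.asax.cs fixes up every response in Application_EndRequest. It assumes the site is served over HTTPS only, targets .NET 3.5 or later, and that the directories in question are handed to ASP.NET by IIS (for static directories that needs a wildcard mapping to aspnet_isapi.dll).

```csharp
// Global.asax.cs: response-side hardening in Application_EndRequest.
// Added example, not the article's code.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;

        // 1. Never confirm that a forbidden resource exists: answer 404 instead
        //    of 403, so a protected directory or file looks the same as nothing.
        //    Only requests routed to ASP.NET reach here; IIS-generated 403s for
        //    static directories need a wildcard mapping to be seen at all.
        if (response.StatusCode == 403)
        {
            response.Clear();                       // drop the "forbidden" body
            response.StatusCode = 404;
            response.StatusDescription = "Not Found";
            response.TrySkipIisCustomErrors = true; // IIS 7+: keep our own body
            response.Write("<html><body><h1>Not Found</h1></body></html>");
        }

        // 2. Every cookie leaves with Secure (and HttpOnly) set, so the browser
        //    never replays it over plain HTTP and script cannot read it. This
        //    still works here because headers are not sent until the buffered
        //    response is flushed, which is after EndRequest for normal pages.
        //    Assumption: the site is HTTPS-only, otherwise HTTP visitors would
        //    lose their cookies.
        foreach (string name in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[name];
            cookie.Secure = true;
            cookie.HttpOnly = true;
        }
    }
}
```

Forms authentication has its own switch for the same purpose, requireSSL="true" on the forms element in web.config, which is worth setting alongside this so the login ticket is protected even if a page flushes early.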

Application Hardening: a few hard facts that are prerequisites and first-level, security-based application hardening that one must take care of.

Handle SQL injection. UrlScan also helps prevent SQL injection. Handle SQL injection in the SQL scripts as well as at the front-end level. What is required is deterministic client-side validation: use as much client-side validation as possible and use server-side validation only where it is most required.

Always encrypt the query string if your application uses one. The query string exposes application data and helps a user gather more information to attack the site.

It is good to incorporate the key security best practices during the design phase, thus ensuring the system is not at risk and at the same time is hack-resilient. The references given in this article are very informative and I urge the reader to take some time to go through them. I hope I have met the reader's expectations and that this has helped in a good way.

Thanks for sharing a nice set of IIS security configuration rules! However, for empty directories or directories with static files only, I managed to make the proposed 403-to-404 HTTP error conversion work only after adding aspnet_isapi.dll as the wildcard application map in the virtual directory configuration. Is this the supposed way to go? And are there some possible side effects to keep in mind after making all IIS requests be handled by ASP.NET?

Useful, but there are many syntax and grammar errors that make it difficult to read. Some of the proposed suggestions are implemented by default in ASP.NET and this should be noted (in order to avoid losing time checking these for a new site).